Scribefully

Scribefully—•

Privacy Policy

Last Updated: September 5, 2025

1. Introduction

This Privacy Policy describes how Scribefully ("we," "us," or "our") collects, uses, and protects information when you use our thought leadership discovery platform ("Service"). This Service is operated by an individual based in California.

This Privacy Policy should be read in conjunction with our Terms of Service, which governs your use of the platform.

2. Information We Collect

2.1 Personal Information (Account Users):

  • Email address (required for account creation)
  • First name and last name (for professional attribution)
  • Password (hashed and never stored in plaintext)
  • Profile photos/avatars (optional)
  • Bio text (optional, up to 500 characters)
  • Professional headline (optional, up to 120 characters)
  • Content visibility preferences (controls whether your content is publicly visible or private to you; note: virtual portfolio claims default to public visibility)

2.2 Information You Provide Directly:

  • URLs you submit to the Service
  • Voting activity (upvotes and downvotes on submissions)
  • Authorship claims
  • Comments you post on article pages (up to 2000 characters)
  • Comment deletion actions
  • Profile photos/avatars you upload to your account

2.3 Information Collected Automatically:

  • IP addresses (immediately hashed with salt for privacy protection)
  • Browser type and version
  • Device information and operating system
  • User agent strings (browser/device information)
  • Access times and dates
  • Timestamps (account creation, submissions, votes)
  • Pages viewed and features used via PostHog analytics
  • User behavior analytics (clicks, scrolls, time on page)
  • Referring website addresses
  • Session data (authentication tokens)

2.4 Beta Testing Feedback:

  • Voluntary feedback provided through our feedback collection system
  • Bug reports and feature suggestions
  • User experience feedback and recommendations
  • Contact information if provided in feedback forms

2.5 Analytics and Tracking:

We use PostHog for product analytics to understand how users interact with our Service. PostHog collects:

  • Page views and navigation paths
  • Feature usage and interaction patterns
  • Session recordings (anonymized)
  • Custom events (submissions, votes, claims)
  • Device and browser information

PostHog data is stored on servers in the United States. You can opt out of PostHog tracking by enabling "Do Not Track" in your browser settings.

2.6 Curated Virtual Portfolio Data:

When Scribefully creates virtual portfolios for content curation:

  • Temporary placeholder emails for system management
  • Publicly available professional information (name, bio, headline)
  • URLs to publicly published content
  • Basic contact information for notification purposes
  • IP addresses and timestamps during the claiming process
  • All data is derived from publicly available sources or provided during the claiming process

3. How We Use Your Information

3.1 Core Functionality:

  • Professional attribution (displaying "by [First Name Last Name]")
  • Operate, maintain, and improve the Service
  • Process URL submissions and voting
  • User authentication and session management
  • Display and manage comments on article pages
  • Link comment authors to their portfolio pages

3.2 Anti-Abuse Measures:

  • Prevent spam, abuse, and manipulation through rate limiting and anti-fraud measures
  • IP-based restrictions on submissions/votes
  • Duplicate prevention
  • Vote manipulation prevention
  • Comment rate limiting to prevent spam

3.3 Beta Testing and Platform Improvement:

  • Process voluntary feedback to improve the platform
  • Analyze usage patterns to enhance user experience
  • Identify and fix bugs reported by users
  • Develop new features based on user suggestions

3.4 Other Uses:

  • Ensure Service security and prevent unauthorized access
  • Comply with legal obligations
  • Communicate about Service changes or important updates
  • Send transactional emails via Resend (comment notifications, vote milestones)
  • Analyze platform usage through PostHog to improve features and user experience

4. Third-Party Services

4.1 Supabase (Database & Authentication):

  • Data Stored: All user data, submissions, votes, and comments
  • Purpose: Database hosting, user authentication, real-time features
  • Data Sharing: None - Supabase acts as data processor only

4.2 Render (Hosting):

  • Data Stored: Application logs, server access logs
  • Purpose: Web application hosting and deployment
  • Data Sharing: None

4.3 Google Forms (Beta Feedback Collection):

  • Data Stored: Voluntary feedback responses, contact information if provided
  • Purpose: Beta testing feedback collection and platform improvement
  • Data Sharing: Feedback is used solely for platform development
  • Privacy: Governed by Google's privacy policy for data collected through their forms

4.4 Profile Photos/Avatars:

  • Data Stored: Profile images uploaded by users
  • Processing: Images are compressed, resized, and stripped of metadata for privacy and performance
  • Storage: Securely stored in Supabase cloud infrastructure
  • Purpose: Display with your profile and comments

4.5 External Link Previews:

When you submit URLs, our server fetches public metadata from the linked websites. This process involves:

  • Automated scraping of publicly available metadata (title, description, image)
  • Temporary storage of preview data in our database
  • No access to password-protected or private content
  • Standard HTTP requests with browser user agent information
  • Target websites may log these requests according to their own privacy policies

4.6 Resend (Email Notifications):

  • Data Processed: Email addresses and message content for transactional emails
  • Purpose: Sending comment notifications, vote milestones, and system updates
  • Data Sharing: Resend processes emails on our behalf as a data processor
  • Retention: Email logs retained temporarily for delivery confirmation

4.7 PostHog (Analytics):

  • Data Collected: User behavior, feature usage, and interaction patterns
  • Purpose: Understanding how users interact with our Service to improve functionality
  • Data Storage: Stored on PostHog servers in the United States
  • Opt-out: Enable "Do Not Track" in your browser to opt out of PostHog tracking

5. Cookies and Local Storage

5.1 Browser Storage:

  • localStorage: Temporary storage for pending authorship claims during signup
  • Session cookies: Authentication tokens managed by Supabase
  • Theme preferences: Dark/light mode settings

5.2 Cookie Control:

  • You can control cookies through your browser settings
  • Remember your preferences
  • Analyze Service usage
  • Prevent abuse and ensure security

5.3 Limited Tracking:

  • No advertising cookies
  • PostHog analytics for product improvement only
  • No cross-site tracking for advertising
  • No social media pixels
  • Respects "Do Not Track" browser settings

6. Legal Basis for Processing (International Users)

We process information based on:

  • Legitimate interests in operating the Service and preventing abuse
  • Your consent where required by law
  • Compliance with legal obligations

7. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these circumstances:

  • Legal Requirements: When required by law, court order, or government request
  • Safety and Security: To protect our rights, property, safety, or that of users or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (though none currently planned)
  • Service Providers: With trusted third parties who assist in Service operation (Supabase, Render)

8. Data Security

8.1 Security Measures:

  • Password hashing via Supabase security protocols
  • IP address anonymization through hashing with salt
  • HTTPS encryption for all traffic
  • Database security through Supabase Row Level Security policies
  • Secure data transmission protocols
  • Regular security assessments and vulnerability scanning
  • Limited access to information on a need-to-know basis
  • Row Level Security ensuring users can only delete their own comments
  • Metadata removal from uploaded profile images
  • Prompt notification of data breaches as required by applicable law

8.2 No Sensitive Data:

  • No payment information
  • No government IDs or social security numbers
  • No biometric data
  • No location tracking beyond IP geolocation for spam prevention

8.3 Security Limitations:

However, no method of internet transmission or electronic storage is completely secure.

9. Data Retention

We retain information only as long as necessary to:

  • Provide the Service
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our Terms of Service

Specific Retention:

  • User accounts: Retained until deletion is requested
  • Deleted accounts: Permanently removed from our systems within 30 days of deletion request
  • Submissions: Retained indefinitely for platform value
  • Vote data: Retained for spam prevention and platform integrity
  • Comments: Stored indefinitely unless deleted by the user or administrator
  • Server logs: Retained per hosting provider policies
  • IP addresses: Hashed and not stored in personally identifiable form

10. Your Privacy Rights

10.1 Data Access:

  • View all your submitted content via your account
  • Access your profile information

10.2 Data Modification:

  • Update profile information (first name, last name)
  • Change email address and password
  • Upload, replace, or remove your profile photo
  • Update bio and professional headline information
  • Change content visibility settings (toggle between public and private; claimed virtual portfolios default to public)
  • Note: Submissions cannot be edited after posting

10.3 Data Deletion:

  • Request account deletion by contacting us
  • Submitted content remains but attribution is removed
  • Vote history may be retained for platform integrity
  • Profile photos are permanently deleted when you delete your account or when you manually remove them

10.4 General Rights:

Depending on your location, you may have rights including:

  • Access: Request information about data we collect
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your information
  • Portability: Request a copy of your information
  • Objection: Object to certain processing activities

10.5 Public Information:

  • Comments you post are publicly visible to all site visitors
  • Your real first and last name is displayed with each comment
  • Comment author names link to public portfolio pages
  • Please be aware that even if you delete a comment, it may have been viewed, copied, or stored by other users during the time it was public

Given our minimal data collection and anonymous operation for non-account users, some rights may be limited in scope.

11. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Personal information categories: Identifiers (email, name), internet activity (votes, submissions)
  • Right to know what personal information is collected
  • Right to delete personal information
  • Sale of data: We do not sell personal information
  • Right to opt-out of sale (we don't sell information)
  • Right to non-discrimination for exercising privacy rights

12. International Data Transfers

If you access the Service from outside the United States, your information may be transferred to and processed in the United States, which may have different privacy laws than your jurisdiction.

GDPR (EU Users):

  • Legal basis: Legitimate interest for core functionality
  • Data portability: You can export your submission history
  • Right to be forgotten: Account deletion removes personal attribution
  • Data controller: Scribefully
  • Data processor: Supabase
  • Virtual Portfolio GDPR Compliance: For EU residents, virtual portfolios are created based on legitimate business interests in content curation. Individuals have the right to request immediate removal before or after claiming, and all data is derived from publicly available sources.

13. Age Restrictions

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will delete such information promptly.

14. Third-Party Links

The Service contains links to third-party websites. This Privacy Policy does not apply to third-party sites. We encourage you to review their privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will:

  • Post the updated policy on the Service
  • Update the "Effective Date"
  • Notify users of material changes through the Service

Continued use after changes constitutes acceptance.

16. Data Protection Officer

For users in jurisdictions requiring a Data Protection Officer, contact information will be provided as required by applicable law.

17. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

This Privacy Policy should be read in conjunction with our Terms of Service.